CVE search results

31 – 40 of 86 results

Detailed view

Sort by:

CVE-2017-17790

Medium priority

Some fixes available 4 of 5

The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different...

3 affected packages

ruby2.5, ruby1.9.1, ruby2.3

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby2.5	—	—	—	Fixed
ruby1.9.1	—	—	—	Not in release
ruby2.3	—	—	—	Not in release

CVE-2017-17742

Medium priority

Some fixes available 6 of 20

Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server...

5 affected packages

ruby1.9.1, ruby2.0, ruby2.3, ruby2.5, jruby

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.9.1	Not in release	Not in release	Not in release	Not in release
ruby2.0	Not in release	Not in release	Not in release	Not in release
ruby2.3	Not in release	Not in release	Not in release	Not in release
ruby2.5	Not in release	Not in release	Not in release	Fixed
jruby	Needs evaluation	—	Vulnerable	Vulnerable

CVE-2017-17405

Medium priority

Fixed

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character,...

3 affected packages

ruby1.9.1, ruby2.0, ruby2.3

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.9.1	—	—	—	—
ruby2.0	—	—	—	—
ruby2.3	—	—	—	—

CVE-2017-14064

Low priority

Some fixes available 4 of 5

Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a...

3 affected packages

ruby1.9.1, ruby2.0, ruby2.3

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.9.1	—	—	—	Not in release
ruby2.0	—	—	—	Not in release
ruby2.3	—	—	—	Not in release

CVE-2017-14033

Medium priority

Some fixes available 3 of 4

The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.

3 affected packages

ruby1.9.1, ruby2.1, ruby2.3

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.9.1	—	—	—	—
ruby2.1	—	—	—	—
ruby2.3	—	—	—	—

CVE-2017-11465

Medium priority

Not affected

The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to...

3 affected packages

ruby1.9.1, ruby2.0, ruby2.3

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.9.1	—	—	—	—
ruby2.0	—	—	—	—
ruby2.3	—	—	—	—

CVE-2017-10784

Medium priority

Some fixes available 4 of 5

The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary...

3 affected packages

ruby1.9.1, ruby2.0, ruby2.3

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.9.1	—	—	—	Not in release
ruby2.0	—	—	—	Not in release
ruby2.3	—	—	—	Not in release

CVE-2017-0903

Medium priority

Some fixes available 3 of 10

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can...

4 affected packages

jruby, ruby1.9.1, ruby2.0, ruby2.3

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
jruby	Not affected	—	Not affected	Not affected
ruby1.9.1	Not in release	Not in release	Not in release	Not in release
ruby2.0	Not in release	Not in release	Not in release	Not in release
ruby2.3	Not in release	Not in release	Not in release	Not in release

CVE-2017-0902

Medium priority

Some fixes available 3 of 21

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.

4 affected packages

ruby1.9.1, ruby2.0, ruby2.3, jruby

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.9.1	Not in release	Not in release	Not in release	Not in release
ruby2.0	Not in release	Not in release	Not in release	Not in release
ruby2.3	Not in release	Not in release	Not in release	Not in release
jruby	Needs evaluation	—	Vulnerable	Vulnerable

CVE-2017-0901

Medium priority

Some fixes available 4 of 22

RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

4 affected packages

jruby, ruby2.0, ruby1.9.1, ruby2.3

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
jruby	Needs evaluation	—	Vulnerable	Vulnerable
ruby2.0	Not in release	Not in release	Not in release	Not in release
ruby1.9.1	Not in release	Not in release	Not in release	Not in release
ruby2.3	Not in release	Not in release	Not in release	Not in release

Export to JSON

Results by page:

Search CVE reports